On 26.03.18 19:16, Yuri wrote:
SSH immediately notice you
when server key surprisingly changed.
26.03.2018 21:36, Matus UHLAR - fantomas пишет:
only when you already have the host key installed in your client. If
there's
MITM attack before you get the key, you will not notice that, unless you
get the key by other (secure) way.
On 26.03.18 21:45, Yuri wrote:
By analogue with TLS - let's imagine I've already been on site. With SSH
client notify me - "Hey, man, you trying to connect to server with ....
fingerprint. Add it Yes/No?"
Instead this, TLS never notify me if third-party CA is known to client.
TLS was designed with periodic key rollout after a time, while SSH was not.
you must take care of it manually, or not atall.
SSH was (apparently) designed with possibility of (semi-)physical access to the
server, so you can verify keys personally.
This is not applicable with TLS, where everyone should be able to
communicate with everyone.
this way SSH is more similar to PGP where users have to exchange their
public keys to be trusted.
(you can get keys from trusted friend which is in fact simmilar to CA).
unlike SSL, SSH was not designed to be used globally between everyone,
more
within one or more "friend" organizations, so it didn't specify how host
keys are verified (the SSHFP DNS record just transfers trust to DNS,
which
can be hijacked too).
To be honest, a weak argument. A secure connection should always be
encrypted end-to-end and should not "trusted" third-parties as well.
Never. Otherwise it is insecure connection. IMHO.
the SSL is encrypted end-to-end. Trusted third-party CAs are just way to
avoid the need of everyone going to every company owning a site for the
server keys once in its lifetime (uaually a year).
even CA doesn't see your communication, unless they make the MITM attack
themselves.
Yes, users is involved in both cases. However the difference still here.
SSH is end-to-end always by design (we're not talking about things like
Kerberos here), TLS is not.
TLS was designed to be end-to-end encryption and the certificate
authority
As Stanislavsky said, "I do not believe it!"
End-to-end encryption and the (/trusted third-party/) certificate
authority these are antonyms.
Well, you can tell this to your clients but the main point - breaking into
users' communication that is supposed to be unbreakable by you - is
something you must explain to your clients and possibly to the lawyers.
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users